Re: Do you use CA-ACF2 and CICS or IMS? Be aware your CICS/IMS developers have security admin priviledges and can do whatever they want to the ACF2 database.

Command-level Assembler Resource Rule Example A command-level Assembler resource rule example follows: FUNCT CLI TYPE,C'A' TEST RECALCULATE FUNCTION BNE OTHER IF NOT, BYPASS * THE FOLLOWING ROUTINE WILL RECALCULATE PAYROLL AMOUNTS. * CALL CA ACF2 TO

Re: Do you use CA-ACF2 and CICS or IMS? Be aware your CICS/IMS developers have security admin priviledges and can do whatever they want to the ACF2 database.

The issue with MUSASS (apparently an ACF2 term but applicable to any security product) is that the task itself has a SAF userid that is used for task-level accesses, but each logged in userid must be presented for user-level accesses. Unless this distinction is preserved meticulously, taskid

Re: Do you use CA-ACF2 and CICS or IMS? Be aware your CICS/IMS developers have security admin priviledges and can do whatever they want to the ACF2 database.

Multiple Users in a Single Address Space. (MUSASS) In the CICS program there is a HLL interface to ACF2. Very easy to setup and use Steve -Original Message- From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] On Behalf Of Peter Hunkeler Sent: Thursday, April 6,

Re: Do you use CA-ACF2 and CICS or IMS? Be aware your CICS/IMS developers have security admin priviledges and can do whatever they want to the ACF2 database.

> Peter - What are you attempting to do? > > Steve Me? Its not my thread, I just followed it with interest. I did not understand the term MUSASS. That's all. -- Peter Hunkeler -- For IBM-MAIN subscribe / signoff / archive

Re: Do you use CA-ACF2 and CICS or IMS? Be aware your CICS/IMS developers have security admin priviledges and can do whatever they want to the ACF2 database.

Peter - What are you attempting to do? Steve -Original Message- From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] On Behalf Of Mullen, Patrick Sent: Thursday, April 6, 2017 8:34 AM To: IBM-MAIN@LISTSERV.UA.EDU Subject: Re: Do you use CA-ACF2 and CICS or IMS? Be

Re: Do you use CA-ACF2 and CICS or IMS? Be aware your CICS/IMS developers have security admin priviledges and can do whatever they want to the ACF2 database.

ACF2 speak for multi-user address space, eg CICS, IMS, DB2, as opposed to a single user address space like TSO, batch job. -Original Message- From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] On Behalf Of Peter Hunkeler Sent: Thursday, April 06, 2017 12:16 AM To:

Re: AW: Re: Do you use CA-ACF2 and CICS or IMS? Be aware your CICS/IMS developers have security admin priviledges and can do whatever they want to the ACF2 database.

Multiple User Address Space or MUSASS for short. MUSASS is a LOGONID attribute that is assigned via ACF command. It is assigned to an address space where multiple users are "active" in the address space. Examples of a MUSASS address space are CICS and IMS. There are others. On 4/6/2017

Re: Do you use CA-ACF2 and CICS or IMS? Be aware your CICS/IMS developers have security admin priviledges and can do whatever they want to the ACF2 database.

Muilti-User Single Address Space System. Pretty much what it says. It's an ACF2 term that refers to things like CICS. Ant. -Original Message- From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] On Behalf Of Peter Hunkeler Sent: Thursday, 6 April 2017 2:46 PM To:

AW: Re: Do you use CA-ACF2 and CICS or IMS? Be aware your CICS/IMS developers have security admin priviledges and can do whatever they want to the ACF2 database.

> It's either APF authorization or running in a MUSASS address space, the > second one is the problem. Pardon my ignorance, but can you explain in a few words what a MUSASS address space is? -- Peter Hunkeler -- For

Re: Do you use CA-ACF2 and CICS or IMS? Be aware your CICS/IMS developers have security admin priviledges and can do whatever they want to the ACF2 database.

Ray I was wondering when you were going to chime in Steve -Original Message- From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] On Behalf Of Leonardo Vaz Sent: Wednesday, April 5, 2017 1:30 PM To: IBM-MAIN@LISTSERV.UA.EDU Subject: Re: Do you use CA-ACF2 and CICS or

Re: Do you use CA-ACF2 and CICS or IMS? Be aware your CICS/IMS developers have security admin priviledges and can do whatever they want to the ACF2 database.

Hello Ray! A pleasure to have a comment from one ACF2 developer himself. Yes, I am talking about SVC A. and I have absolutely no problems with supercall being used in an authorized environment, when you are authorized you are GOD-like, we all know that. My problem is the allowance of it

Re: Do you use CA-ACF2 and CICS or IMS? Be aware your CICS/IMS developers have security admin priviledges and can do whatever they want to the ACF2 database.

Hello Don! That's my problem with it, that a non-APF module can do that, I am talking about a regular DFHRPL loaded module. Regards, Leo -Original Message- From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] On Behalf Of Grinsell, Don Sent: Wednesday, April 05, 2017

Re: Do you use CA-ACF2 and CICS or IMS? Be aware your CICS/IMS developers have security admin priviledges and can do whatever they want to the ACF2 database.

Hello Tony! It's either APF authorization or running in a MUSASS address space, the second one is the problem. Regards, Leo -Original Message- From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] On Behalf Of Tony Harminc Sent: Wednesday, April 05, 2017 1:45 PM To:

Re: Do you use CA-ACF2 and CICS or IMS? Be aware your CICS/IMS developers have security admin priviledges and can do whatever they want to the ACF2 database.

It should also be noted that the vast majority of CICS application programs are loaded from the DFHRPL concatenation which contains many libraries that are not typically APF authorized. I think you are pretty safe. -- Donald Grinsell, Systems Programmer Enterprise Technology Services Bureau

Re: Do you use CA-ACF2 and CICS or IMS? Be aware your CICS/IMS developers have security admin priviledges and can do whatever they want to the ACF2 database.

Leonardo, Do the CICS and IMS developers have WRITE or higher access to an APF authorized library? In other words, when they create a program to issue the ACF2 SVC A supercall request is that load library APF? I would assume that the program was link edited as AC(1). I was the ACF2

Re: Do you use CA-ACF2 and CICS or IMS? Be aware your CICS/IMS developers have security admin priviledges and can do whatever they want to the ACF2 database.

On 5 April 2017 at 11:38, Leonardo Vaz wrote: > ACF2 has an SVC call facility called "Supercall Facility", which any program > executing under a CICS region or IMS region can use. If they do, they have > unrestricted read/write access to the ACF2 database. I thought use of

Re: Do you use CA-ACF2 and CICS or IMS? Be aware your CICS/IMS developers have security admin priviledges and can do whatever they want to the ACF2 database.

For CA-ACF2 there is a HLI interface. Not Much to set up. As for changing authority levels. Can't be don -Original Message- From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] On Behalf Of Leonardo Vaz Sent: Wednesday, April 5, 2017 10:39 AM To:

Re: Do you use CA-ACF2 and CICS or IMS? Be aware your CICS/IMS developers have security admin priviledges and can do whatever they want to the ACF2 database.

If you have not done so, you may also wish to post this question on the RACF list. The generic question SHOULD CIC/IMS be able to do this, could be a valid question for them To join, if you have not done so use this URL RACFhttp://www.listserv.uga.edu/archives/racf-l.html Lizette >

Do you use CA-ACF2 and CICS or IMS? Be aware your CICS/IMS developers have security admin priviledges and can do whatever they want to the ACF2 database.

"And that's working as designed" is the reply I got from CA... and they don't see it as a security exposure... Well, I do see it as a HUGE security exposure, and I would like to know what my fellow IBM-MAIN'ers think. ACF2 has an SVC call facility called "Supercall Facility", which any program